Region-specific malware puzzles the threat detection team
Our customer is one of the largest privately owned American corporations, whose operations span trading, transportation, and marketing of a variety of commodities, as well as production and distribution of popular ingredients found in many foods and agricultural products around the world. The company relies on sophisticated digital technology in every aspect of its operations, and keeping networks and data safe is the main charter of the company’s SOC team.
When malware is detected, SOC analysts mobilize to gather as much information as possible about the nature of the attack and the likely perpetrators. With operations in more than 60 countries, the SOC is used to seeing different types of threats pop up in different parts of the world. Often, such region-specific malware presents additional challenges. For example, the same phishing emails kept appearing every week in the company’s South American headquarters. But when SOC analysts tried to download and analyze the phishing kits, their out-of-area IP addresses were blocked, restricting the researchers’ ability to triage the threat. After several recurrences of the same malware, the issue was escalated to the next level, with more senior SOC personnel taking charge.
Using a separate LAN connection, a Level 2 threat response team attempted to engage with the South American malware. They used a dedicated “dirty” network, but even with VPN disguising the analysts’ location, SOC researchers were blocked from accessing the phishing kit. The team needed a solution that would help manage attribution, rather than simply hide it, allowing them to interact with malware without raising alarms and triggering blocks. They needed to blend in with the local traffic, coming in from the right location, in the right time zone, using correct keyboard and language settings, using the popular browser and OS for the region. Without all of these details matching up, the persistent malware would never reveal its dark secrets.
VPNs weren’t solving the problem. The team needed to manage attribution, rather than simply hide it, allowing them to interact with malware — without raising alarms and triggering blocks.
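The blocking described above can be modeled as a consistency check across the attributes a region-gated site can observe about a visitor: exit IP location, browser language settings, reported time zone, and OS/browser platform. The following is an added example, not code from this page or from Authentic8/Silo; the `RegionProfile` and `EgressProfile` names, the region definition and the two sample sessions are constructed for illustration. It is written as a pre-flight check an analyst could run on a planned egress profile before engaging, and it shows why a VPN alone (which changes only the exit IP) still fails while a fully matched profile passes:

```python
"""
Pre-flight consistency check for a managed-attribution research session.

Added illustration (not Silo for Research code). Region-gated sites can compare
several visitor attributes, not just the source IP; an analyst environment that
mismatches any of them stands out. All profiles below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegionProfile:
    """What traffic 'from the region' typically looks like (constructed)."""
    name: str
    countries: frozenset   # ISO 3166-1 alpha-2 codes of acceptable exit IPs
    languages: frozenset   # acceptable primary Accept-Language tags (lower-case)
    timezones: frozenset   # acceptable IANA time zones
    platforms: frozenset   # (os, browser) pairs common in the region


@dataclass(frozen=True)
class EgressProfile:
    """Observable attributes of the analyst's planned session (constructed)."""
    exit_country: str      # country of the exit IP address
    accept_language: str   # browser Accept-Language header, e.g. "pt-BR,pt;q=0.9"
    timezone: str          # time zone the browser/OS reports, e.g. "America/Sao_Paulo"
    os: str
    browser: str


def primary_language(accept_language: str) -> str:
    """Return the first language tag, without q-weight, lower-cased.
    "pt-BR,pt;q=0.9" -> "pt-br"
    """
    first = accept_language.split(",", 1)[0]
    return first.split(";", 1)[0].strip().lower()


def mismatches(profile: EgressProfile, region: RegionProfile) -> list:
    """List every attribute on which the session would not blend in."""
    problems = []
    if profile.exit_country.upper() not in region.countries:
        problems.append(f"exit IP country {profile.exit_country!r} is outside {region.name}")
    if primary_language(profile.accept_language) not in region.languages:
        problems.append(f"browser language {profile.accept_language!r} is unusual for {region.name}")
    if profile.timezone not in region.timezones:
        problems.append(f"time zone {profile.timezone!r} does not match {region.name}")
    if (profile.os, profile.browser) not in region.platforms:
        problems.append(f"platform {profile.os}/{profile.browser} is uncommon in {region.name}")
    return problems


def blends_in(profile: EgressProfile, region: RegionProfile) -> bool:
    """True only when every observable attribute is consistent with the region."""
    return not mismatches(profile, region)


# Constructed region profile for the South American case in the text.
BRAZIL = RegionProfile(
    name="Brazil",
    countries=frozenset({"BR"}),
    languages=frozenset({"pt-br", "pt"}),
    timezones=frozenset({"America/Sao_Paulo", "America/Manaus", "America/Recife"}),
    platforms=frozenset({("Windows", "Chrome"), ("Android", "Chrome")}),
)

# A VPN exit in-country, but the analyst's workstation is otherwise unchanged.
VPN_ONLY = EgressProfile("BR", "en-US,en;q=0.9", "America/Chicago", "Windows", "Firefox")

# A managed-attribution session: every attribute set to match the region.
MANAGED = EgressProfile("BR", "pt-BR,pt;q=0.9", "America/Sao_Paulo", "Windows", "Chrome")

if __name__ == "__main__":
    for label, session in (("VPN only", VPN_ONLY), ("managed", MANAGED)):
        verdict = "blends in" if blends_in(session, BRAZIL) else "stands out"
        print(f"{label}: {verdict}")
        for problem in mismatches(session, BRAZIL):
            print("  -", problem)
```

The check is deliberately all-or-nothing: the page's point is that a single inconsistent attribute is enough for a gated kit to refuse the visitor, so the VPN-only session is reported with three mismatches (language, time zone, platform) even though its exit IP is in the right country.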
Silo for Research helps threat hunters get the intelligence they need
The company’s specialized threat hunter team used Silo for Research to access malware through one of the regional internet egress nodes. Since the traffic appeared to be coming from the correct location, with all the local settings, it didn’t tip off the attackers, and the company’s investigators were able to successfully download the phishing kit and execute the malware to better understand its purpose and functions. Once they analyzed the malware, they devised a plan on how to better protect the company’s networks against similar attacks going forward.
Even with strong perimeter security and continuous user education, phishing remains a constant threat. It’s only a matter of time before someone clicks on a benign-looking link or attachment, opening the door to malware. With Silo for Research, analysts have a specialized solution to follow up on any suspicious content and engage with malware while controlling their digital fingerprint — without exposing their computers and networks to potential danger. All investigation work is done with detailed management of the information disclosed to investigative targets, to prevent any potential retribution. In addition to an extensive network of egress nodes to disguise the analyst’s location, Silo for Research manages attribution to control language, time zone and keyboard settings, as well as the browser, OS and other elements, to blend in with local traffic.
Silo for Research provides full isolation from toxic content, along with an extensive array of investigation tools, such as screenshot capture and annotation, shared storage, collaboration features and a comprehensive set of policies to protect the chain of custody for important evidence and provide an audit trail.
Going forward, the company has established a standard workflow, where the initial response team identifies and triages a potential threat, then escalates it to the Level 2 investigators and threat hunters, who use Silo for Research to further engage with the threat; investigate the people or organizations behind it; and make suggestions on proactive measures to reinforce the company’s security to protect against similar attacks in the future.